We have a small office with a Kyocera network copier. I learned last week- as I was going to add a new mailbox on it- that from the web browser, no log in is required to add- or edit- mailbox names, e-mail addresses or network paths for scan to folders. I was able to- without logging in at the browser- to change the e-mail address of anyone who had one set up to one either in or outside our domain. I could do the same with the network path. To make sure that I was magically logged in because of my network rights, I logged into the workstation with a guest account- same thing.
A call to the vendor who services the machines said that Kyocera acknowledged this issue but a fix wasn't in the offing. Their solution was to restrict access to the management webpage from specific machines by IP or disable the web page. Am I nuts or is this a giant security issue?
